Richard Bejtlich's blog on digital security, strategic thought, and military history.

Saturday, January 16, 2010

What Is APT and What Does It Want?

This has been the week to discuss the advanced persistent threat, although some people are already telling me Google v China with respect to APT is "silly," or that the attack vectors were what everyone has been talking about for years, and were somewhat sloppily orchestrated at that.

I think many of these critics are missing the point. As is often the case with sensitive issues, 1) those who know often can't say and 2) those who say often don't know. There are some exceptions worth noting!

One company that occupies a unique position with respect to this problem is Mandiant. Keep an eye on the APT tag of their M-unition blog. Mandiant's role as a consulting firm to many APT victims helps them talk about what they see without naming any particular victim.

I also recommend following Mike Cloppert's posts. He is a deep thinker with respect to counter-APT operations. Incidentally I agree with Mike that the US Air Force invented the term "advanced persistent threat" around 2006, not Mandiant.

Reviewing my previous blogging, a few old posts stand out. 4 1/2 years ago I wrote Real Threat Reporting, describing the story of Shawn Carpenter as reported by Time magazine. Back then the threat was called "Titan Rain" by Time. (This reflects the use of a so-called "intrusion set" name to describe an incident.) Almost a year later Air Force Maj Gen Lord noted "China has downloaded 10 to 20 terabytes of data from the NIPRNet. They're looking for your identity, so they can get into the network as you."

Now we hear of other companies beyond Google involved in this latest incident, including Yahoo, Symantec, Adobe, Northrop Grumman, Dow Chemical, Juniper Networks, and "human rights groups as well as Washington-based think tanks." (Sources 1 and 2.)

Let me put on the flight cap of a formally trained Air Force intelligence officer and try to briefly explain my understanding of APT in a few bullets.

Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:

Political objectives that include continuing to suppress its own population in the name of "stability."

Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worrying is the thought that intruders could make changes that improve their own position and weaken the victim.

We'll be releasing our first report on the APT on January 27. It has an executive overview as well as several in-depth case studies of real APT intrusions. If you or others will be at DoD CyberCrime in St. Louis on the 27th, come by the release party. Or send mail to info@mandiant.com to request a copy.

We're featuring a few excerpts from the report on the M-unition blog over the next week or so. mjg-bob says check 'em out.

To the anonymous commenter's question, why aren't the money-stealing gangs considered APT? In our experience, once their theft is executed, they don't establish an occupying force of compromised machines to be used later. Once they steal the money, they tend to take off.

Food for thought. Can it be considered stealing if you know you're going to give the information in a year's time anyhow when said companies come to you looking for cheap labor, excluding all the state secret type stuff of course? Now that all this has come to light, I have to wonder what will actually be done, beyond the slap on the wrist that is being acted out on the media stage.

Some of Mandiant's latest entries seem to be off in saying that the APT has specific malware characteristics, uses specific egress ports, and so forth, and then go on to provide examples that are common in malicious software for each.

Really APT is a made-up term (like every other term, it has to start somewhere) in the information security space, which by itself is fine if there is no existing term and definition which accurately convey what we're dealing with.

But the definition runs into problems, right off the bat: they don't know if this was an "advanced persistent threat". It was an unknown IE vulnerability, identifiable through browser fuzzing, but we can call that advanced. The rest of the attack appears to use known malware variants. They are assuming the attacks are somehow related to the government of China, but don't really know because they're basing that on what was taken/viewed and IP address, and thus the Persistent part is indeterminate.

So attribution to APT is a problem. From there defining attack characteristics to what could or could not be APT is building a study on a shaky foundation. Besides, the tactics of "the APT" are going to be the tactics of any cracker (albeit the more 'Advanced' attacks by definition).

I really don't get the whole APT discussion, unless it's just that we either need something new to talk about or we don't have a good word for targeted advanced attacks.

Gents, while the three-letter acronym APT makes a kind of sense as described, I don't think the world needs another piece of jargon that marketers, inevitably, will flock to. It is as silly as "blended threat," which to me means a hemlock smoothie.

It's all just malware. The intents and goals matter more than the label. At Forrester, the only coverage we will be providing of "APT" is to advise customers to ignore the term.

Anonymous, they all do. IMHO compared to other threats, APT deceive you in their silent presence on your networks, degrade your ability to secure your IP (or at minimum degrade your 'perceived' level of security), destroy your already waning confidence in COTS security products to prevent or detect them, and they directly influence the way I sleep at night. It's easy to arm-chair quarterback this issue when you're not in the incident responder's / defender's seat.

Richard, as you state, "APT" is a noun. It is a tool -- malware -- that is used in service of a larger goal. Those goals include sabotage, industrial espionage, subversion and theft. All of these things are specific to the attacker and target.

My concern about pushing the "APT" noun is that it easily becomes "checkboxed" ("do you have anti-APT features in your AV?") and as such distracts customers from the specific threats that may exist to their businesses.

We should be applying better, more precise terms to the actors and their motives, not their tools unless it describes some property of the tool itself. In that respect, "rootkit" is a useful malware sub-category.

So, our advice will be to think not about "APT" but about industrial spies, saboteurs, thieves, unscrupulous competitors and nation-states -- how these actors seek to achieve their goals. This perspective strengthens the case for NSM. By contrast, calling yet another subtype of malware "APT" medicalizes the condition and makes it treatable by charlatans hawking miracle tonics.

That is what I meant by my previous comment, in case it wasn't clear. The term APT is irrelevant. The risks are real.

I don't think I was completely clear in what I was questioning based on your answer about malware and APT being a proper noun. If you look at Mandiant's most recent blog post, they give what are essentially malware characteristics of "APT" attacks. But these seem to be characteristics common in any cyberattack.

So I guess I find myself agreeing with the assertion that there is nothing in the malware itself that requires a new 'APT' definition.

Your point seems to be that APT is all about the adversary and what they're after; characteristics inherent in these two things make something APT.

I guess I'm waiting for someone to compellingly make the case that we need a new word, and that this isn't just a new marketing term. I thought that originally, however reading your coverage I am reconsidering that initial impression. And are we backing into this: someone came up with the term 'APT' and now we're attaching some intelligent meaning to it?

Richard -- re-reading everything you've written in this thread, I understand now that you do not mean APT == malware. Got it.

We also agree that what matters in this discussion is actors, intents and goals. However I still think APT is a poor label, for two reasons:

* Featuritis. Well-meaning but thick-skulled people like me are going to conflate the threat with the malware (as I just did), and this will lead to vendor silliness as discussed.

* Lack of precision. The term APT denotes a lot of different actors and intents, and the only common thread is that the actors aren't opportunists.

If I understand what you mean correctly, then, APT is a threat aimed at "targets of choice" versus the "targets of chance" that a garden-variety malware author might create a dragnet to go after. But I'd rather see more precise terms like "industrial theft," "sabotage" etc rather than the general-purpose acronym APT. Even something like "adversarial threat" (which denotes a bona fide enemy) would be an improvement.

Dk and Andrew, it doesn't matter whether you like the term APT or not. My point is that APT is not a new term. Just because it's popular now doesn't make it new. APT is also not a generic term. It refers to specific actors. People who have been working this problem for several years have all used this term, and don't honestly care what people who don't fight APT think about it.

Interesting, maybe don't try to respond to multiple comments at once; I think the message gets garbled, because the response doesn't really match what I was asking (it's more geared to Andrew). Your more recent post definitely does, on attribution.

I first heard APT around three years ago, but since it's getting attention now, it's worth talking about now. (Also why I assume you're blogging about it.)

Regarding people who use the term APT, the place it's being used most recently is marketing materials, and the company you cited earlier most definitely cares what security executives (some of whom have never heard the term before) think. Plus if I understand your points in this and the more recent post, most senior security executives are up against what are being termed Advanced Persistent Threats.

The fight club defense (you wouldn't question APT if you knew about APT) is rarely a valid logical defense for anything.

Persistent:
- Formally tasked? Prove it. Criminals are often formally tasked too.
- Not opportunistic? Why? Why rule out a potentially effective way of coming up with new intel or desired targets? Does a phisher who presents only a single bank’s login page qualify as being “not opportunistic”? What if he targets a list of known customers of that bank?
- APT = criminal. Nothing distinct in this definition that differentiates the two.

Threat:
- It’s been a long time since we’ve had a piece of mindless code roaming around, so I don’t see how this point can be crucial. A botherder who instructs his minions what spam to send and when based on his customers isn’t using a piece of mindless code.
- “…organized and funded and motivated” seems to be the “crucial” part. Again, APT = criminal; there is nothing in those terms that distinguishes the APT from criminal (unless you want to quantify “funded”).

Why aren’t we simply stating; “APT is attacks done by governments. They are difficult to detect, prevent, or prove.” Why all this other junk?

Russ, of course some of the description for APT will refer to criminal groups. They share various characteristics but they are not the same. For example, criminal groups are in no way as persistent as APT. I know you are focused on criminal groups because it's clear from the (great) Verizon incident reporting that criminals are your primary foes. (Those groups primarily steal PII and financial info. APT does not.) Only two companies regularly provide counter-APT consulting and Verizon is not one of them.

Richard - what about "APT" is not just "competently executed intelligence operations"?? Oh, sure, it involves computers, but so does everything else nowadays. Do we need new terminology? Of course we do - if it's to help market some company's services. I'm disappointed but not surprised to see you falling for the hype.

With respect to "those who talk, don't know. those who know, don't talk" where do you fall? Since you're talking about it, should we assume you don't know what you're talking about?

Seriously, though, saying you're a US Air Force trained security analyst is like saying you have a PhD from a degree mill. You're a smart guy and you're good with tools - let your laurels rest on your accomplishments; ultimately that's all that matters.

At Tenable we're going to be doing some talking about "APT" because everyone else is. But it's just marketing bullshizzle because, apparently, "espionage" isn't sexy enough. You know "espionage" right? That's the problem that all our government agencies have been cheerfully ignoring while rushing to connect everything that holds data to internet-connected networks? It's really pathetic that we need a new term for a problem, in order to market it, and get some attention.

But don't fall for the "maybe if we hype it they'll finally pay attention" trope. It's been tried over and over again; all that happens is that money is spent (misspent, really). This whole "China cyberwar" "APT" kerfuffle has all the hallmarks of a budget-inflation maneuver or a power-grab in which FBI is trying to expand its charter vis a vis DHS. There is nothing new here; do you really think the Chinese have only just started spying on us? They're not as stupid as all the internet security practitioners who are hopping up and down about it.

New terminology is necessary, and there are many researchers and authors working on introducing new matrices which address points of confluence between State sponsored and subnational (no matter how one defines subnational: criminal organization, terrorist, activist or points in between). I personally believe that there is nothing new under the sun (like Solomon) and that espionage is as old as time. However, I equally admonish the following: that outside of certain realms (we'll keep it simple and say DoD/Intel Community/DIB), the activities associated with (and considered common tradecraft which go well beyond that relegated to technologically based systems) the manifestation of formalized professional attacks is new. All the best, see everyone at RSA. Will Gragido

The bottom line is information is leaving CDC, military and government networks regardless of what we call these actors or events, APT or espionage. Nation state threat actors have infiltrated these networks and nobody has a solution on how to get them out and keep them out. A solution needs to be developed around the tactics, techniques, and procedures of the adversary. The current day solution seems to focus on reacting to an alert based off of a signature. By that time it is too late, and in most cases months too late. It really bothers me that vendors are going to pick up on this and start claiming their product will stop "APT" attacks. I have not seen this yet but I know it's coming.